Univention Bugzilla – Bug 46595
SAML failover does not work
Last modified: 2019-03-08 16:46:33 CET
UCS 4.3 master, backup, 2 dc slaves.

Test according to product tests: Login into 1 slave UMC, poweroff the DC the sso login was done against (check the syslog for that information). Login to the second slave umc should work because a valid session is shared via memcached.

However, the login fails, the regular UMC login window is shown (no sso login).

On the DC Backup the syslog shows:

Mar 12 12:38:44 backup96 simplesamlphp[4653]: 5 STAT [c9c79990cf] saml20-idp-SSO https://slave98.ucs.local/univention/saml/metadata https://ucs-sso.ucs.local/simplesamlphp/saml2/idp/metadata.php NA
Mar 12 12:38:45 backup96 simplesamlphp[4653]: 3 [c9c79990cf] SimpleSAML_Error_Exception: Error 8 - MemcachePool::get(): Server unix:///var/run/univention-saml/master.ucs.local.socket (tcp 0, udp 0) failed with: Read failed (socket was unexpectedly closed) (0)
Mar 12 12:38:45 backup96 simplesamlphp[4653]: 3 [c9c79990cf] Backtrace:
Mar 12 12:38:45 backup96 simplesamlphp[4653]: 3 [c9c79990cf] 11 /usr/share/simplesamlphp/www/_include.php:84 (SimpleSAML_error_handler)
Mar 12 12:38:45 backup96 simplesamlphp[4653]: 3 [c9c79990cf] 10 [builtin] (MemcachePool::get)
Mar 12 12:38:45 backup96 simplesamlphp[4653]: 3 [c9c79990cf] 9 /usr/share/simplesamlphp/lib/SimpleSAML/Memcache.php:50 (SimpleSAML_Memcache::get)
Mar 12 12:38:45 backup96 simplesamlphp[4653]: 3 [c9c79990cf] 8 /usr/share/simplesamlphp/lib/SimpleSAML/Store/Memcache.php:42 (SimpleSAML_Store_Memcache::get)
Mar 12 12:38:45 backup96 simplesamlphp[4653]: 3 [c9c79990cf] 7 /usr/share/simplesamlphp/lib/SimpleSAML/SessionHandlerStore.php:52 (SimpleSAML_SessionHandlerStore::loadSession)
Mar 12 12:38:45 backup96 simplesamlphp[4653]: 3 [c9c79990cf] 6 /usr/share/simplesamlphp/lib/SimpleSAML/Session.php:325 (SimpleSAML_Session::getSession)
Mar 12 12:38:45 backup96 simplesamlphp[4653]: 3 [c9c79990cf] 5 /usr/share/simplesamlphp/lib/SimpleSAML/Session.php:245 (SimpleSAML_Session::getSessionFromRequest)
Mar 12 12:38:45 backup96 simplesamlphp[4653]: 3 [c9c79990cf] 4 /usr/share/simplesamlphp/lib/SimpleSAML/Auth/Simple.php:54 (SimpleSAML_Auth_Simple::isAuthenticated)
Mar 12 12:38:45 backup96 simplesamlphp[4653]: 3 [c9c79990cf] 3 /usr/share/simplesamlphp/lib/SimpleSAML/IdP.php:264 (SimpleSAML_IdP::isAuthenticated)
Mar 12 12:38:45 backup96 simplesamlphp[4653]: 3 [c9c79990cf] 2 /usr/share/simplesamlphp/lib/SimpleSAML/IdP.php:404 (SimpleSAML_IdP::handleAuthenticationRequest)
Mar 12 12:38:45 backup96 simplesamlphp[4653]: 3 [c9c79990cf] 1 /usr/share/simplesamlphp/modules/saml/lib/IdP/SAML2.php:389 (sspmod_saml_IdP_SAML2::receiveAuthnRequest)
Mar 12 12:38:45 backup96 simplesamlphp[4653]: 3 [c9c79990cf] 0 /usr/share/simplesamlphp/www/saml2/idp/SSOService.php:19 (N/A)

But the local memcached on the backup has a valid session:

nc -U /var/run/univention-saml/memcached.socket
stats items
stats cachedump 8 1
ITEM simpleSAMLphp.session.1ede7df8ecb7ad06f61c6e436a4c9c60 [357 b; 1520883452 s]
END
# ucr get saml/idp/authsource
univention-ldap
In theory "82_saml/19_IdP_on_backup" should test that.
This may be a browser DNS resolution timing problem. I managed to get it working by giving the browser time to contact the 2nd address ucs-sso resolves to (but it didn't always work). When it had worked, when logging out, my browser was redirected from the slave to the master - which wasn't available, resulting in an error page. The redirected URL was: https://<master FQDN>/univention/saml/slo/?SAMLRequest=jZJRb9sgEM... This may be a separate bug.
(In reply to Jürn Brodersen from comment #2)
> In theory "82_saml/19_IdP_on_backup" should test that.

Ok it seems that test doesn't check the failover, only the load balancing.
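
A triage helper for the syslog excerpt in the description, as an added example that is not part of the original bug thread or Univention's code: it groups simplesamlphp lines by tracking ID and reports which memcache server failed and whether the failure happened while the session was being loaded. The function name `triage`, the result layout, and the treatment of `memcached.socket` as the local instance are assumptions; the sample lines are copied from the excerpt.

```python
import re
from collections import defaultdict

# Sample input: three lines copied from the syslog excerpt in the bug description.
SAMPLE = """\
Mar 12 12:38:44 backup96 simplesamlphp[4653]: 5 STAT [c9c79990cf] saml20-idp-SSO https://slave98.ucs.local/univention/saml/metadata https://ucs-sso.ucs.local/simplesamlphp/saml2/idp/metadata.php NA
Mar 12 12:38:45 backup96 simplesamlphp[4653]: 3 [c9c79990cf] SimpleSAML_Error_Exception: Error 8 - MemcachePool::get(): Server unix:///var/run/univention-saml/master.ucs.local.socket (tcp 0, udp 0) failed with: Read failed (socket was unexpectedly closed) (0)
Mar 12 12:38:45 backup96 simplesamlphp[4653]: 3 [c9c79990cf] 7 /usr/share/simplesamlphp/lib/SimpleSAML/SessionHandlerStore.php:52 (SimpleSAML_SessionHandlerStore::loadSession)
"""

# syslog prefix, simplesamlphp level, optional STAT marker, tracking ID, message
LINE = re.compile(r"^\w{3}\s+\d+ [\d:]{8} (?P<host>\S+) simplesamlphp\[\d+\]: "
                  r"\d (?:STAT )?\[(?P<track>[0-9a-f]+)\] (?P<msg>.*)$")
# MemcachePool error naming the server that could not be read
FAIL = re.compile(r"MemcachePool::\w+\(\): Server (?P<server>\S+) "
                  r".*failed with: (?P<reason>.+?) \(\d+\)$")
# backtrace frame: "<n> <file:line or [builtin]> (<function>)"
FRAME = re.compile(r"^\d+ \S+ \((?P<func>[^)]+)\)$")

def triage(log_text):
    """Return {tracking_id: details} for requests that hit a memcache failure."""
    reqs = defaultdict(lambda: {"host": None, "failures": [], "frames": []})
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        req = reqs[m["track"]]
        req["host"] = m["host"]
        fail = FAIL.search(m["msg"])
        frame = FRAME.match(m["msg"])
        if fail:
            req["failures"].append((fail["server"], fail["reason"]))
        elif frame:
            req["frames"].append(frame["func"])
    report = {}
    for track, req in reqs.items():
        if not req["failures"]:
            continue
        # True when the error surfaced while the IdP was reading the session
        req["during_session_load"] = any("loadSession" in f for f in req["frames"])
        # Assumption: the local instance listens on .../memcached.socket
        req["remote_servers"] = sorted({s for s, _ in req["failures"]
                                        if not s.endswith("/memcached.socket")})
        report[track] = req
    return report

if __name__ == "__main__":
    for track, req in triage(SAMPLE).items():
        print(track, req["host"], req["remote_servers"], req["during_session_load"])
```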